CallTracer


The 'undelivered package' text: how the parcel-redelivery SMS scam works

USPS, FedEx, and DHL do not text you for a $1.99 redelivery fee. Here is how the fake 'undelivered package' SMS scam actually works — and how to spot one in five seconds.

The CallTracer team


A text arrives. It looks polite, almost apologetic. USPS could not deliver your parcel. FedEx is holding a package. DHL needs you to confirm an address before customs releases your shipment. There is a tracking number that looks real, a small fee under three dollars, and a link that almost — but not quite — matches the carrier's site.

It is a scam. Every "undelivered package" text from a random ten-digit number is a scam, and the script has barely changed in three years because it keeps working.

Why the package angle catches almost everyone

The trick is statistical. Most adults order something online every couple of weeks. If you blast the same lure to a million numbers, a meaningful fraction of recipients are actually waiting on a delivery and want it to arrive. Those are the people who tap the link without thinking too hard about it.

Even people who are not currently expecting anything pause for a beat. A package, somewhere, that I forgot about? A gift? The flicker of curiosity is enough. Curiosity is what the link is hunting.

The script, minus the polish

Strip away the carrier logo and the message looks the same every time:

  • A vague claim that something is wrong with your package
  • A small, plausible "fee" — usually a dollar or two
  • A tracking number that looks real but isn't
  • A link to a domain that is not the carrier's actual site
  • A soft urgency hook ("within 24 hours," "before return to sender")

The link goes to a counterfeit page that mimics the carrier's logo and colors closely enough to fool a quick scan. You "pay" the fee with a card, and the form happily accepts it. What you have actually done is hand your full card details, billing address, CVV, and phone number to a card-cloning operation. The dollar charge often clears. The follow-up charges, days or weeks later, do not.

The URL is the tell

Real domestic carriers live on boring, well-established domains. USPS is usps.com. FedEx is fedex.com. UPS is ups.com. DHL is dhl.com. Smishers cannot register those, so they improvise:

  • usps-redelivery[.]top
  • fedex-customs-fee[.]vip
  • track-dhl-shipment[.]icu
  • ups-package-update[.]cc

If the link in a delivery text ends in .top, .vip, .icu, .cc, .xin, or any country code you do not recognize, it is a scam. Full stop. Legitimate US carriers send tracking links from their own primary .com domain or, occasionally, from the short code they publish on their official site.

Five tells that work in five seconds

Before tapping anything, run through these:

  1. The sender. Real carriers text from short codes (five- or six-digit numbers) listed on their official site. Scams arrive from regular ten-digit mobile numbers, often from area codes that have nothing to do with where you live.
  2. The domain. Anything that is not the carrier's primary .com is a fake. A subdomain prefix like usps.something-else.com is also a fake.
  3. The fee. Domestic carriers do not collect a couple of dollars for redelivery via SMS. Customs duties on inbound international shipments do exist, but they are collected through the carrier's official app or at the door, not via a link in a text.
  4. The grammar. Real notifications are short, templated, and grammatically tidy. Scam texts often have an extra space, an odd comma, or a phrase that is almost-but-not-quite English.
  5. The tracking number. Type the number into the carrier's actual website by hand. If it returns nothing, or returns a parcel that has nothing to do with you, the text is a scam.
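The domain rule from "The URL is the tell" and tell 2, as an added Python example (not CallTracer's code): a link passes only when its registered domain is exactly one of the four carrier domains named above, so a carrier name used as a subdomain or hyphenated prefix still fails. The function name, verdict strings, and the two-label shortcut for finding the registered domain are assumptions of this sketch.

```python
from urllib.parse import urlsplit

# Primary carrier domains named in the article.
CARRIER_DOMAINS = {"usps.com", "fedex.com", "ups.com", "dhl.com"}
# TLDs the article lists as typical of smishing links.
SUSPECT_TLDS = {"top", "vip", "icu", "cc", "xin"}
BRANDS = sorted(d.split(".")[0] for d in CARRIER_DOMAINS)


def classify_link(raw):
    """Return (verdict, reason) for a link copied out of a delivery text."""
    url = raw.strip().replace("[.]", ".")      # accept defanged links
    if "://" not in url:
        url = "https://" + url                 # SMS links often omit the scheme
    try:
        # .hostname drops any "user@" prefix, so usps.com@evil.top -> evil.top
        host = (urlsplit(url).hostname or "").rstrip(".").lower()
    except ValueError:
        host = ""
    if not host:
        return "fake", "no usable hostname"
    labels = host.split(".")
    # Assumption: the last two labels are the registered domain. True for the
    # carriers' .com sites; a general tool would use the Public Suffix List.
    registered = ".".join(labels[-2:])
    if registered in CARRIER_DOMAINS:
        return "carrier", "host is on " + registered
    named = [b for b in BRANDS if b in host]
    if named:
        return "fake", f"names {named[0]} but is registered under {registered}"
    if labels[-1] in SUSPECT_TLDS:
        return "fake", f".{labels[-1]} is not a carrier TLD"
    return "fake", f"{registered} is not a carrier's primary .com"


if __name__ == "__main__":
    # Sample links: two taken from the article, two constructed.
    for link in ["usps-redelivery[.]top/pay", "https://www.usps.com/",
                 "usps.something-else.com", "https://usps.com@parcel-hold.icu/"]:
        print(link, "->", classify_link(link))
```

A "carrier" verdict only means the host sits on the carrier's domain; tells 1 and 3 to 5 still apply to the message itself.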

What to do with the message

Do not reply, even with "STOP." Replying confirms a live human read the message, which gets your number sold to other lists. On iOS, tap the sender, choose Report Junk, and delete. On Android, the spam-report flow is built into Messages and Google Voice. In the US, you can also forward the text to 7726 — the universal SPAM short code — and your mobile carrier will use the report to block the campaign.

If you are genuinely expecting a package, open the carrier's app, or type the carrier's URL into your browser by hand, and track from there. If the package is real, it will show up. If the text was a scam, the official site will say nothing about a held parcel — because there isn't one.

The shortest defense: never tap a link in a delivery text. If a carrier needs you, they will be in their app.

If you already tapped

If you only opened the page and did not type anything in, you are almost certainly fine. Close the tab and move on. The page itself rarely installs anything; the trap is the form.

If you entered card details, call the number on the back of your card and ask for an immediate freeze and a new card. Do not wait for a fraudulent charge to appear — by then, the card has already been resold somewhere. New card, new number, ten minutes on the phone.

If a number keeps texting you variations of the same lure, look it up. Knowing who is calling — and who else has reported the same number — is worth more than any spam filter, and it is the small habit that defangs the entire category.
